Just patch Java? Easier said than done

You'd think the seriousness of the latest Java threat would force companies to patch or turn off Java in a hurry. It's not that simple

InfoWorld | Jan 16, 2013

Every company whose security I've audited has a Java problem -- an ongoing one that long predates the current threat.

Java provides a convenient attack vector for most of the malware arriving in companies -- not just the annoying stuff, but advanced persistent threats, money stealers, and more. Despite the intricate nature of the recently discovered flaw, simply keeping Java patches up to date (including the latest Oracle patch) would vastly decrease the risk.

So why, in literally every company I've audited, does Java remain so badly patched?

Mainly, it's the number of mission-critical enterprise apps tied to specific Java versions. In case after case, IT security people say they can't patch Java in a more timely manner because doing so breaks too many vital applications.

In other words, this dependency is not just an excuse -- it's not the same as, say, neglecting to keep your Windows Server patches up to date. Patching Java presents an operational risk because it has a better chance than nearly any other patching operation of breaking applications. For every patch, you may well need to commit serious resources to testing.

No wonder, then, that the IT people involved complain about how they are powerless to do anything -- how their very jobs would be at risk if they caused the predicted operational interruption. I understand their frustration, but not their powerlessness.

I wonder what would happen if IT told the CIO, the CEO, and the board of directors, "Hey, we recognize our No. 1 problem, and it's been the No. 1 problem for years, but we're throwing our hands up and not doing anything about it." I wonder how senior management would respond.

If you are tired of unpatched Java being a continuing unresolved problem, if you are tired of business units always pushing back saying you can't upgrade Java because it will break their apps, don't politely ask them anymore. Instead, create a whitepaper for your company. Show them how unpatched Java is wreaking havoc across the enterprise. Show them how Java is the No. 1 problem and causing the most risk.

Then present the challenges. Then present the solutions. Then send this paper to your boss and hopefully up the chain of command until it reaches and gets approved by the CIO.

You can't fix the problem, because of the potential operational issues, until you have the seal of approval from senior management. So get on with it! Get senior management involved.

I can't think of a C-level officer, when shown his company's No. 1 problem in a particular area, who won't feel a fiduciary duty to commit the resources to allow his people to solve that problem. Not doing so would put that officer at risk to his own bosses.

In most companies senior management has no idea that Java is their No. 1 problem. I'll go further: In most companies, most of the IT security staff doesn't understand that Java is their No. 1 problem. How can you expect to solve your problems if the senior managers involved and the worker bees don't understand the risks and threats?

That's the silver lining behind this latest and most serious threat: No one can ignore the problem anymore. Responsible companies are going to need to carve out the resources to address it.